From 484c1c1ff8bfc6d61244bbb25ab32a391c515959 Mon Sep 17 00:00:00 2001
From: Lin Yinfeng
Date: Sun, 31 Mar 2024 12:50:08 +0800
Subject: [PATCH] nixos/hledger-web: fix access control options

---
 .../manual/release-notes/rl-2405.section.md   |  7 +++
 .../modules/services/web-apps/hledger-web.nix | 45 +++++++------------
 nixos/tests/hledger-web.nix                   |  2 +-
 3 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index d9e066ffad61..4b3d6b79e5aa 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -271,6 +271,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
 
+- `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
+
+  - `allow = "view"` means `capabilities = { view = true; }`;
+  - `allow = "add"` means `capabilities = { view = true; add = true; }`;
+  - `allow = "edit"` means `capabilities = { view = true; add = true; edit = true }`;
+  - `allow = "sandstorm"` reads permissions from the `X-Sandstorm-Permissions` request header.
+
 - `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.
 
 - The `stalwart-mail` package has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md).
diff --git a/nixos/modules/services/web-apps/hledger-web.nix b/nixos/modules/services/web-apps/hledger-web.nix
index be8ecc645e59..2e888d081a9f 100644
--- a/nixos/modules/services/web-apps/hledger-web.nix
+++ b/nixos/modules/services/web-apps/hledger-web.nix
@@ -26,28 +26,17 @@ in {
       '';
     };
 
-    capabilities = {
-      view = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc ''
-          Enable the view capability.
-        '';
-      };
-      add = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Enable the add capability.
-        '';
-      };
-      manage = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Enable the manage capability.
-        '';
-      };
+    allow = mkOption {
+      type = types.enum [ "view" "add" "edit" "sandstorm" ];
+      default = "view";
+      description = lib.mdDoc ''
+        User's access level for changing data.
+
+        * view: view only permission.
+        * add: view and add permissions.
+        * edit: view, add, and edit permissions.
+        * sandstorm: permissions from the `X-Sandstorm-Permissions` request header.
+      '';
     };
 
     stateDir = mkOption {
@@ -89,6 +78,11 @@ in {
 
   };
 
+  imports = [
+    (mkRemovedOptionModule [ "services" "hledger-web" "capabilities" ]
+      "This option has been replaced by new option `services.hledger-web.allow`.")
+  ];
+
   config = mkIf cfg.enable {
 
     users.users.hledger = {
@@ -102,16 +96,11 @@ in {
     users.groups.hledger = {};
 
     systemd.services.hledger-web = let
-      capabilityString = with cfg.capabilities; concatStringsSep "," (
-        (optional view "view")
-        ++ (optional add "add")
-        ++ (optional manage "manage")
-      );
       serverArgs = with cfg; escapeShellArgs ([
         "--serve"
         "--host=${host}"
         "--port=${toString port}"
-        "--capabilities=${capabilityString}"
+        "--allow=${allow}"
         (optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
         (optionalString (cfg.serveApi) "--serve-api")
       ] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)
diff --git a/nixos/tests/hledger-web.nix b/nixos/tests/hledger-web.nix
index f8919f7d4bd0..09941ca5c517 100644
--- a/nixos/tests/hledger-web.nix
+++ b/nixos/tests/hledger-web.nix
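Review bot: The `sandstorm` value of the new `allow` enum is documented as taking permissions from the `X-Sandstorm-Permissions` request header, which means any client that can reach the listening port directly can set that header itself and obtain add/edit access; the option description should say so rather than listing the value next to the others as if it were equivalent. I would add to the description after the sandstorm bullet: `Only use "sandstorm" when the service is reachable exclusively through the Sandstorm proxy; any client that can reach the port directly can forge the X-Sandstorm-Permissions header and obtain add/edit access.` The `"view"` default is the safe choice and should stay. The new `--allow` flag presumably needs a hledger-web release that replaced `--capabilities`; if the module lets users pin an older package that is worth a sentence in the description too, though no package option is visible in this hunk. The enclosing `options.services.hledger-web` set starts before the hunk.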
@@ -19,7 +19,7 @@ rec {
       host = "127.0.0.1";
       port = 5000;
       enable = true;
-      capabilities.manage = true;
+      allow = "edit";
     };
     networking.firewall.allowedTCPPorts = [ config.services.hledger-web.port ];
     systemd.services.hledger-web.preStart = ''